1. Field of the Invention
The present invention relates to a method and apparatus for a middleware approach to asynchronous and backward-compatible detection and prevention of Address Resolution Protocol (ARP) cache poisoning, and more particularly, to a method and apparatus for implementing a cache poisoning checker module, driver and user-level application in a streams-based network subsystem to detect and prevent ARP cache poisoning.
2. Description of the Art
Address Resolution Protocol (ARP) cache poisoning is the act, by a malicious host/server in the local area network (LAN), of introducing a spurious (i.e., false) Internet Protocol (IP) and/or Ethernet mapping address in another host's ARP cache. The effect of ARP cache poisoning is that network traffic intended for one host is diverted to a different host or to no host at all. ARP cache poisoning, and thus the diverting of messages from their intended recipients, can be accomplished by ARP "spoofing", that is, attacking, at a host/server's ARP cache, the assigned addressing routes of the network. Accordingly, ARP spoofing is a serious concern to network managers and participants, as ARP spoofing can be used to compromise network security.
There are four ways in which a host's ARP cache can be poisoned based on root address access in the LAN, that is, during the processes of: receiving an address request; receiving an address response; sending an address request; and sending an address response. As the protocol is stateless, that is, there is no built-in tracking or "memory" of address requests and/or responses, a malicious host can attack root addresses by any of these processes.
The first way to poison an ARP cache by spoofing is during the process of the receipt of an address request. As ARP implementations cache entries based on the requests they receive, an attacker only has to pretend to be sending out a legitimate address request to poison the ARP cache of the request host recipient. That is, if malicious host A sends out a broadcast ARP request packet for host B, host C might cache the mapping address information about host A based on the request host A has sent out.
The second way of ARP cache poisoning by spoofing is during the process of receiving an unsolicited address response. That is, an address response that is unsolicited (i.e., not associated with an address request) will be honored by an ARP implementation due to the fact it is stateless. Thus, a malicious host has only to independently send an address response ARP packet on the LAN with a spurious mapping address to poison the ARP cache of the response recipient. This unsolicited address response can be broadcast to poison the ARP cache of every host on the LAN.
Rather than send an unsolicited address response, or a spurious address request, a third way in which a host's ARP cache may be poisoned is by a malicious host waiting until the victim host issues an address request and then responding by sending a spurious address response to that request. In this case, if the host to which the address request was sent (i.e., the legitimate host) responds to that request, there is a race condition that the malicious host may win. In this case, it is the address response that is received later that will supersede the entry in the victim host's cache corresponding to the address response that is received earlier (i.e., it is overwritten).
A fourth way of ARP cache poisoning by spoofing is when a malicious host sends out both a spurious address request and a spurious address response corresponding to that address request. This may be used to poison a victim host's ARP cache in the case where a victim host has a partial solution to the poisoning problem and does in fact "remember" an address request, either its own request or one from another host, and only caches a response to a "remembered" request.
Thus, as can be seen, ARP cache poisoning by root IP and Ethernet address attacks by spoofing can be done quite simply in a number of ways.
Accordingly, the present invention allows for a method and apparatus for detecting and preventing Address Resolution Protocol (ARP) cache poisoning having an implementation in middleware, without any access or change to any operating system source code, and which is asynchronous and backward compatible.
To detect and/or prevent ARP cache poisoning, a Cache Poisoning Checker (CPC) module is implemented in a stream stack pertaining to the ARP and is used to intercept messages containing Internet Protocol (IP) and/or Ethernet addresses traveling both upstream and downstream between servers in the network operating system. Furthermore, a CPC stream driver and CPC user-level application are implemented in a separate stream, the CPC driver providing an interface to and between the user-level application and the CPC module. Both the CPC stream module and the CPC user-level application utilize an algorithm in the prevention and detection of ARP poisoning.
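The four poisoning cases described above can be told apart by a checker that remembers only the monitored host's own address requests. The following Python sketch is an added example, not the CPC algorithm of the invention; the class `ArpChecker`, the 2-second window, the verdict names and the trace are assumptions made for illustration.

```python
from collections import namedtuple

REQUEST, REPLY = 1, 2  # ARP opcodes
# direction: "out" = sent by the monitored host, "in" = received by it; t in seconds
Arp = namedtuple("Arp", "t direction op sender_ip sender_mac target_ip")

class ArpChecker:
    # Assumption of this sketch: only the monitored host's own requests are remembered.
    def __init__(self, window=2.0):
        self.window = window   # seconds a sent request (or its answer) stays relevant
        self.pending = {}      # target_ip -> time our request went out
        self.answered = {}     # ip -> (mac, time) of the reply that was accepted
        self.cache = {}        # ip -> mac accepted so far

    def check(self, m):
        if m.direction == "out":
            if m.op == REQUEST:
                self.pending[m.target_ip] = m.t
            return "ok"
        if m.op == REQUEST:
            # Case 1: a received request must not overwrite a mapping already held.
            known = self.cache.get(m.sender_ip)
            return "request-conflict" if known and known != m.sender_mac else "ok"
        sent = self.pending.pop(m.sender_ip, None)
        if sent is not None and m.t - sent <= self.window:
            self.cache[m.sender_ip] = m.sender_mac
            self.answered[m.sender_ip] = (m.sender_mac, m.t)
            return "ok"
        first = self.answered.get(m.sender_ip)
        if first and m.t - first[1] <= self.window:
            # Case 3: two answers to one request; which one is genuine is not known here.
            return "ok" if first[0] == m.sender_mac else "conflicting-reply"
        return "unsolicited-reply"   # cases 2 and 4: no request of ours is outstanding

# Constructed trace as seen by host 10.0.0.3; all addresses are made up.
TRACE = [
    Arp(0.0, "out", REQUEST, "10.0.0.3", "02:00:00:00:00:cc", "10.0.0.2"),
    Arp(0.1, "in", REPLY, "10.0.0.2", "02:00:00:00:00:bb", "10.0.0.3"),
    Arp(0.2, "in", REPLY, "10.0.0.2", "02:00:00:00:00:aa", "10.0.0.3"),    # case 3
    Arp(5.0, "in", REQUEST, "10.0.0.2", "02:00:00:00:00:aa", "10.0.0.9"),  # case 1
    Arp(6.0, "in", REPLY, "10.0.0.2", "02:00:00:00:00:aa", "10.0.0.3"),    # case 2
    Arp(7.0, "in", REQUEST, "10.0.0.7", "02:00:00:00:00:aa", "10.0.0.8"),  # case 4 (a)
    Arp(7.1, "in", REPLY, "10.0.0.8", "02:00:00:00:00:aa", "10.0.0.7"),    # case 4 (b)
]

def run(trace):
    checker = ArpChecker()
    return [checker.check(m) for m in trace]
```

Because the checker never treats another host's request as "remembered", the fourth case is reported the same way as the second.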
In an embodiment, the present invention is disclosed utilizing as an example a Solaris 2.6 network operating system platform for an environment in which any number of hosts in a LAN communicate using a Transmission Control Protocol/Internet Protocol (TCP/IP) suite over a shared Ethernet.